Stronger Security for Reusable Garbled Circuits, General Definitions - PowerPoint PPT Presentation

  1. Stronger Security for Reusable Garbled Circuits, General Definitions and Attacks Shweta Agrawal IIT Madras

  2. Garbled Circuits (Yao 86)
    Garble circuit C: $\hat{C} = \mathrm{Garble}(C; R)$
    Encode input x: $\hat{x} = \mathrm{Encode}(x; R)$
    Decode: $\hat{C}(\hat{x}) = C(x)$
    Privacy: $\hat{C}, \hat{x}$ reveal "nothing but" $C(x)$
    Secure for only one-time use.

  3. Reusable Garbled Circuits [GKPVZ13]
    Encoded inputs: $\hat{x}_1, \hat{x}_2, \hat{x}_3, \hat{x}_4, \hat{x}_5$
    Decode: $\hat{C}(\hat{x}_1), \hat{C}(\hat{x}_2), \ldots, \hat{C}(\hat{x}_5) = C(x_1), C(x_2), \ldots, C(x_5)$
    Privacy: $\hat{C}, \hat{x}_1, \ldots, \hat{x}_5$ reveal "nothing but" $C(x_1), \ldots, C(x_5)$
    First construction by Goldwasser et al. in 2013

  4. Functional Encryption (FE) [Sahai-Waters'05, BSW'12]
    Secret key for circuit C: $SK_C = \mathrm{KeyGen}(SK, C)$
    Encrypt input x: $CT_x = \mathrm{Enc}(PK, x)$
    Decrypt: $SK_C, CT_x \to C(x)$
    Privacy: nothing more
    (1) Input/circuit hiding (2) Public/private key (3) One/many key security

  5. FE from Standard Assumptions: State of the Art
    Suppose we:
    • Restrict the adversary to make only one query [GKPVZ13]
    • Restrict the adversary to make certain types of queries [GVW15]
    Then we have FE for all circuits

  6. FE from Standard Assumptions: State of the Art
    Suppose we:
    • Restrict the adversary to make only one query [GKPVZ13]: Reusable Garbled Circuits
    • Restrict the adversary to make certain types of queries [GVW15]: Predicate Encryption
    Then we have FE for all circuits

  7. Restricting Number of Queries: Reusable Garbled Circuits [GKPVZ13]
    • Adversary can request any one key of any type
    • Need circuit privacy, can be achieved in the private key setting
    • Security breaks down for more than one circuit query, of any type
    • Can be generalized to bounded Q queries using GVW12. CT grows multiplicatively as $O(Q^4)$

  8. Restricting Type of Queries: Predicate Encryption
    • ("Weak Attribute Hiding") Adversary can request any number of "0-keys", i.e. $C_i$ such that $C_i(x_0) = C_i(x_1) = 0$
    • May not request even a single $C_i$ s.t. $C_i(x_0) = C_i(x_1) = 1$
    • Current systems [GVW15, AFV11] only achieve security in the weak game, even for inner product predicate encryption [AFV11].

  9. Best Known
    Scheme | 1-queries | 0-queries | Security game | Ciphertext query dependence
    GKPVZ13 (STOC 2013) (+ GVW12) | ≤ 1 (Q with GVW12 compiler) | 1 | Selective | - (multiplicative $Q^4$ with GVW12)
    GVW15 (CRYPTO 2015) | 0 | Any | Selective | No

  10. Our Results
    Scheme | 1-queries | 0-queries | Security game | Ciphertext query dependence
    GKPVZ13 (STOC 2013) (+ GVW12) | ≤ 1 (Q with GVW12 compiler) | 1 | Selective | - (multiplicative $Q^4$ with GVW12)
    GVW15 (CRYPTO 2015) | 0 | Any | Selective | No
    This work | Any fixed Q | Any | Semi-adaptive | Additive $Q^2$

  11. Additionally...
    • We show that prior constructions (AFV11, GVW15) supporting only 0-keys are totally insecure if the attacker is allowed 1-keys
    • A constant number of 1-keys is sufficient to completely break security
    • Applies even to inner product functional encryption (AFV11).

  12. Attacks
    • Three attacks:
      – CT and SK structure: applies even to inner product encryption [AFV11]
      – Ciphertext evaluation method of [BGG+14]
      – "Lazy-OR" trick of GVW15, which leaks FHE noise
    • Are they surprising?

  13. Learning With Errors → Ciphertext
    Distinguish "noisy inner products" from uniform: $(A, A^T s + e)$ versus $(A, \mathrm{Unif})$

  14. SIS Problem → Secret Key
    Given matrix A, find "short" z such that $A z = 0 \bmod q$
    Many short vectors form a trapdoor for A
    Can be used to break LWE with matrix A

  15. Decryption works when matrices match
    CT: $A^T s + e$
    SK: $z$ with $A z = 0$
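A toy instance of the picture on slides 13 to 15, added here as an example and not part of the talk: the key $z$ is a short vector in the kernel of $A$, so $\langle z, A^T s + e \rangle = \langle Az, s \rangle + \langle z, e \rangle = \langle z, e \rangle$ mod q, which is small only when the ciphertext was made with the same matrix $A$. The parameters (q = 257, n = 4, m = 12) and the way $A$ is built around a planted short kernel vector are constructed for illustration only.

```python
import random

Q = 257          # toy modulus (constructed, far too small for real security)
N, M = 4, 12     # LWE dimension n and number of samples m

def centered(v):
    """Map v mod Q into the symmetric range [-(Q-1)/2, (Q-1)/2]."""
    v %= Q
    return v - Q if v > Q // 2 else v

def plant_short_kernel_vector(rng):
    """Toy construction of (A, z): A is N x M over Z_q and z is a {-1,0,1}
    vector with A z = 0 mod Q. We fix z[M-1] = 1, draw the first M-1 columns
    of A at random and solve for the last column so that each row sums to 0."""
    z = [rng.choice([-1, 0, 1]) for _ in range(M - 1)] + [1]
    A = [[rng.randrange(Q) for _ in range(M - 1)] for _ in range(N)]
    for row in A:
        row.append((-sum(a * zj for a, zj in zip(row, z[:-1]))) % Q)
    return A, z

def is_kernel_vector(A, z):
    """Check A z = 0 mod Q, row by row."""
    return all(sum(a * zj for a, zj in zip(row, z)) % Q == 0 for row in A)

def lwe_ciphertext(A, s, e):
    """CT = A^T s + e mod Q: one LWE sample per column of A."""
    return [(sum(A[i][j] * s[i] for i in range(N)) + e[j]) % Q for j in range(M)]

def decrypt(ct, z):
    """<z, CT> mod Q, centered. Equals <z, e> (small) exactly when A z = 0."""
    return centered(sum(zj * c for zj, c in zip(z, ct)))

def demo(seed=1):
    """Returns (kernel_ok, <z,e>, decryption with matching A, decryption with
    an unrelated matrix B). The last value carries no information about e."""
    rng = random.Random(seed)
    A, z = plant_short_kernel_vector(rng)
    B = [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]  # unrelated matrix
    s = [rng.randrange(Q) for _ in range(N)]
    e = [rng.randint(-2, 2) for _ in range(M)]                   # small noise
    noise = centered(sum(zj * ej for zj, ej in zip(z, e)))
    matched = decrypt(lwe_ciphertext(A, s, e), z)
    mismatched = decrypt(lwe_ciphertext(B, s, e), z)
    return is_kernel_vector(A, z), noise, matched, mismatched

if __name__ == "__main__":
    print(demo())
```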

  16. Attack #1
    • Request keys for linearly dependent vectors
    • Combine keys to get short vectors, hence a trapdoor in a certain lattice A*
    • Manipulate challenge CT to get an LWE sample with matrix B*
    • A* and B* only match for decrypting keys
    • Lessons: inherent vulnerability for "attribute hiding" schemes with this structure

  17. Attack #2
    • Regardless of circuit complexity, decryption leaks a linear function of the noise terms.
    • Given a few decrypting keys, the attacker can recover the noise terms, the LWE secret, hence all attributes.
    • Lessons: inherent asymmetry between 0 and 1 queries in this method of evaluation.

  18. Construction
    • Extend predicate encryption to subsume reusable garbled circuits.
    • Yields a new construction of reusable garbled circuits with stronger security than GKPVZ13
      – Support for 0 queries for free
      – Semi-adaptive rather than selective
    • New techniques
      – Handle 1 and 0 queries differently in the simulation
      – Program public parameters based on the key to be requested in the future
    • Extend to bounded-key FE: better ciphertext size, weaker security game

  19. Construction
    PE (GVW15) with one-sided security
      → [new tricks plus more careful proof] →
    PE + RGC with very selective security
      → [new method: very selective to semi-adaptive] →
    PE + RGC with semi-adaptive security
      →
    Extend to support Q arbitrary queries
    Very Selective: Adv must announce the challenge message as well as the function key request at the start of the game
    Semi-adaptive: Adv may see public parameters before outputting the challenge

  20. (Very) Selective to Semi-Adaptive Security
    • Nest the selectively secure scheme Sel within an adaptively secure FE for linear functions.
    • Generate ciphertexts for the very selective game on the fly

  21. (Very) Selective to Semi-Adaptive
    • Let LinFE be an FE scheme so that
      – $\mathrm{Decrypt}(CT(x), SK(y)) = \langle x, y \rangle$
    • ALS16 give a construction of LinFE with adaptive security
    • Structure of the Sel ciphertext: $C_i = (A_i + x_i G)^T s + \mathrm{noise}$
      May be written as the inner product of the vectors $(A_i^T, G^T, I)$ and $(s, x_i s, \mathrm{noise})$

  22. (Very) Selective to Semi-Adaptive
    • Encryptor provides LinFE CT for $(s, x_i s, \mathrm{noise})$
    • KeyGen provides both SKs:
      – FeLin.SK$(A_i^T, G^T, I)$
      – Sel.SK$(y)$
    • Decrypt
      – Compute Sel.CT(x) via LinFE decryption
      – Compute Sel decryption using Sel.CT(x), Sel.SK(y)
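The decomposition behind slides 21 and 22, worked through in Python as an added example (not code from the talk or from ALS16): coordinate $j$ of $(A_i + x_i G)^T s + \mathrm{noise}$ is the inner product of the key vector $((A_i^T)_j, (G^T)_j, I_j)$ with the message vector $(s, x_i s, \mathrm{noise})$, so the encryptor can commit to the message vector before $A_i$ is known. LinFE itself is modelled as a black-box inner-product functionality (an assumption; no actual LinFE scheme is implemented), $G$ is the powers-of-two gadget matrix, and q = 257, n = 2 are constructed toy parameters.

```python
import random

Q = 257        # toy modulus (constructed parameters, not the paper's)
N = 2          # LWE dimension n
K = 9          # ceil(log2 Q): columns of the gadget per row
M = N * K      # width of A_i and of G

def gadget_matrix():
    """G = I_N (x) (1, 2, 4, ..., 2^(K-1)), the standard powers-of-two gadget."""
    G = [[0] * M for _ in range(N)]
    for i in range(N):
        for k in range(K):
            G[i][i * K + k] = 1 << k
    return G

def sel_ciphertext(A, G, x, s, noise):
    """Sel.CT computed directly: (A + x*G)^T s + noise mod Q, one entry per column."""
    return [(sum((A[i][j] + x * G[i][j]) * s[i] for i in range(N)) + noise[j]) % Q
            for j in range(M)]

def linfe_plaintext(s, x, noise):
    """The encryptor's LinFE message (s, x*s, noise): depends on x and the
    randomness only, not on A_i, so it can be produced before A_i is fixed."""
    return s + [x * si for si in s] + noise

def linfe_key_vector(A, G, j):
    """Row j of (A^T, G^T, I): the LinFE key that reconstructs coordinate j."""
    return ([A[i][j] for i in range(N)] + [G[i][j] for i in range(N)]
            + [1 if t == j else 0 for t in range(M)])

def linfe_decrypt(msg_vector, key_vector):
    """Stand-in for LinFE.Decrypt(CT(msg), SK(key)) = <msg, key> mod Q. A real
    LinFE (e.g. ALS16) hides msg_vector; here only the functionality is modelled."""
    return sum(a * b for a, b in zip(msg_vector, key_vector)) % Q

def sel_ciphertext_via_linfe(A, G, x, s, noise):
    """Sel.CT recovered coordinate by coordinate through LinFE decryption."""
    msg = linfe_plaintext(s, x, noise)
    return [linfe_decrypt(msg, linfe_key_vector(A, G, j)) for j in range(M)]

def demo(seed=7, x=1):
    """Returns (direct Sel.CT, Sel.CT via LinFE); the two must agree."""
    rng = random.Random(seed)
    G = gadget_matrix()
    A = [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]   # A_i, chosen last
    s = [rng.randrange(Q) for _ in range(N)]
    noise = [rng.randint(-3, 3) for _ in range(M)]                  # small noise
    return sel_ciphertext(A, G, x, s, noise), sel_ciphertext_via_linfe(A, G, x, s, noise)

if __name__ == "__main__":
    print(demo())
```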

  23. Conclusion
    • New construction of reusable garbled circuits with stronger security
    • New method for compiling very selective to semi-adaptive security for LWE-based systems
    • Attacks on existing predicate encryption systems: codify the barrier in generalizing to FE
    • Generalize to handle Q queries: better CT size than GVW12, but weaker security game
    Thank you!
